
[ossec-list] Re: OSSEC error message blows up log file



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That could surely be it then.  No need for you to look at the
database?  I wonder if that is John's problem as well.  Could that
be built into syscheck_update (or add a wrapper script to the
distribution)?
At any rate, thanks for pointing that out.
- -David

Daniel Cid wrote:
> Hi David,
> 
> The issue with syscheck_update is that it requires restarting the
> server after you
> use that. Otherwise, you can get some very weird errors (like the one
> mentioned).
> The best way to do it is by:
> 
> -Stopping server.
> -Running syscheck_update
> -Starting server.
> 
> Maybe that was the issue?
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> 
> 
> On 8/2/07, David Williams <davewill@xxxxxxxxxxxx> wrote:
>> Daniel,
>>         I was just writing to say I've not seen that problem in a while --
>> but I just checked the logs and it's back.  I upgraded the server
>> which required a reboot recently and I believe I did a
>> syscheck_update -a after that.  I've also just swapped some machines
>> around (same name and IP became different hardware); when I did
>> that, I removed the old agent and created a new agent, with a new,
>> higher ID.  And I don't see how this makes a difference but I have
>> ossec installed in /home/ossec (where I have lots of room to grow).
>> All of these systems now have been rebuilt recently with 1.2.
>>         I have a gzipped tar file of the directory (334K) and a gzipped
>> copy of ossec.log (3.4M); where should I send them (and do you want
>> the log file)?
>>         -David
>>
>>
>> Daniel Cid wrote:
>>> Hi John (and David),
>>>
>>> I never saw these messages myself on ossec since they can only happen if your
>>> integrity checking database gets corrupted. It could happen if you upgraded from
>>> an old version of ossec (before 1.0) and the upgrade didn't work out
>>> very well....
>>>
>>> Can you send me a zipped (or gzipped) copy of your /var/ossec/queue/syscheck?
>>> I want to see what is wrong in there...
>>>
>>> Btw, is anyone else seeing those? If yes, please send me a copy of the above
>>> directory to debug...
>>>
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>> On 7/31/07, David Williams <davewill@xxxxxxxxxxxx> wrote:
>>>> John,
>>>>         Daniel will be able to explain further I'm sure.  It appears there
>>>> are null string (missing) names in your integrity database.  Those
>>>> messages look like warnings rather than serious errors (the testing
>>>> just moves on to the next entry).  In my case, when I start to see
>>>> those, I stop ossec, delete the databases and let ossec rebuild
>>>> them.  I'm sure that's not the best way to deal with the issue
>>>> though....
>>>>         -David
>>>>
>>>> John Whittington wrote:
>>>>> Hi, I'm pretty new to OSSEC, please bear with me:
>>>>> I recently set up OSSEC-HIDS to manage several RHEL machines, our
>>>>> organization's web servers. One machine was set up as the server with 13
>>>>> agents. I configured them with the install script and pretty quickly
>>>>> seemed to get them up and running. I am having two problems, one of
>>>>> which concerns false positives, but I'll post that to a different thread.
>>>>> My immediate problem is this: in the past week I've been getting the
>>>>> following error showing up in log/ossec.log:
>>>>>
>>>>> ossec-analysisd: Invalid integrity message in the database.
>>>>>
>>>>> When it returns this error, it does so many times over; typically > 500
>>>>> times in the last three days, but on Friday it wrote this error 668,072
>>>>> times. Needless to say our ossec.log file has suddenly gotten rather
>>>>> large. I've restarted OSSEC on the server a few times now without it
>>>>> seeming to make any difference.
>>>>>
>>>>> Can anyone tell me what this error means? I only found one page on the
>>>>> OSSEC site that mentions it specifically, and it was a thread from the
>>>>> dev mailing list. Unfortunately I'm no C programmer. FWIW OSSEC itself
>>>>> seems to keep working fine, and still alerts us to events like new users
>>>>> logging in or changes to system files. Any feedback would be
>>>>> appreciated; I can send more detailed info as requested.
>>>>> Thanks, John
>

- --
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGspqJCzuSgviBh00RAsgHAKCDljKAd9b8xydWcK2EdWVTf/81KgCdG06L
Qe0D0tWFHtH7Xhq3dAm6zsQ=
=gOOw
-----END PGP SIGNATURE-----
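Daniel's stop / syscheck_update / start sequence, wrapped in the kind of script David asks about. This is an added example, not part of the thread or of the OSSEC distribution. It assumes the OSSEC 1.x layout (ossec-control and syscheck_update under <install>/bin, one ossec-<daemon>-<pid>.pid file per running daemon under <install>/var/run, removed by ossec-control stop); the install directory is an argument because David's install lives in /home/ossec rather than the default /var/ossec.

```shell
#!/bin/sh
# syscheck_update_safe: run OSSEC's syscheck_update only while the server is stopped,
# then bring the server back up (the stop / update / start sequence from the thread).
# Added example, not part of the OSSEC distribution. Assumes the OSSEC 1.x layout:
#   <install>/bin/ossec-control, <install>/bin/syscheck_update, <install>/var/run/*.pid

set -eu

# Run one helper from <install>/bin, failing clearly if it is missing.
ossec_bin() {
    bin="$1/bin/$2"
    shift 2
    if [ ! -x "$bin" ]; then
        echo "syscheck_update_safe: $bin not found or not executable" >&2
        return 1
    fi
    "$bin" "$@"
}

# Count OSSEC daemon pid files under <install>/var/run. Assumption: as in OSSEC 1.x,
# each running daemon keeps an ossec-<daemon>-<pid>.pid file there and
# 'ossec-control stop' removes them, so a non-zero count means something is still up.
ossec_running_daemons() {
    n=0
    for f in "$1"/var/run/ossec-*.pid; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: syscheck_update_safe <install-dir> [syscheck_update args, e.g. -a]
syscheck_update_safe() {
    dir="$1"
    shift
    ossec_bin "$dir" ossec-control stop
    # Refuse to rewrite the integrity database under a running server: that is the
    # situation the thread blames for the "Invalid integrity message" errors.
    if [ "$(ossec_running_daemons "$dir")" -ne 0 ]; then
        echo "syscheck_update_safe: daemons still running after stop; aborting" >&2
        return 1
    fi
    # Restart the server even if the update fails, then report the update's status.
    rc=0
    ossec_bin "$dir" syscheck_update "$@" || rc=$?
    ossec_bin "$dir" ossec-control start
    return "$rc"
}

# Only act when an install directory is given; with no arguments the file just
# defines the functions (so it can be sourced or tested without touching a server).
if [ $# -gt 0 ]; then
    syscheck_update_safe "$@"
fi
```

Run it as `sh syscheck_update_safe.sh /var/ossec -a` (or `/home/ossec` for an install like David's). If daemons are still up after the stop, the script leaves the syscheck database alone instead of updating it underneath a running server; if syscheck_update itself fails, the server is still restarted and the update's exit status is passed back to the caller.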




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.